US20120257747A1 - Method of secure cryptographic calculation, in particular, against attacks of the DFA and unidirectional type, and corresponding component


Info

Publication number
US20120257747A1
Authority
US
United States
Legal status
Granted
Application number
US13/441,180
Other versions
US8958556B2
Inventor
Pierre Yvan Liardet
Fabrice Romain
Current Assignee
STMicroelectronics Rousset SAS
Original Assignee
STMicroelectronics Rousset SAS

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/002 Countermeasures against attacks on cryptographic mechanisms
    • H04L 9/003 Countermeasures against attacks on cryptographic mechanisms for power analysis, e.g. differential power analysis [DPA] or simple power analysis [SPA]
    • H04L 9/004 Countermeasures against attacks on cryptographic mechanisms for fault attacks

Definitions

  • The present invention relates to a secure method of cryptographic calculation employing a secret or private key, and to a component implementing such a secure method.
  • The following algorithms may be implemented: the DES or AES algorithm, or a cryptographic calculation algorithm exhibiting the 1-complement property of DES, such as, for example, an algorithm based on a Feistel network.
  • A Feistel algorithm performs a block symmetric encryption and is characterized, in particular, by similar or indeed identical encryption and decryption operations.
  • An exemplary Feistel algorithm is the DES algorithm and its diverse variations.
  • Other algorithms are known by the names LOKI and GOST.
  • The components used to implement a secure method relate to, in particular, applications where access to services and/or to data is severely controlled. These components usually have an architecture formed around a microprocessor and a program memory comprising, in particular, the secret key.
  • Such components are, for example, used in chip cards. In particular, these components may be used for banking type applications by way of a control terminal or remotely. Such components use one or more methods of encipherment employing a secret or private key to calculate output data on the basis of input data. Such a method is, for example, used to encrypt, decrypt, sign an input message or else verify the signature of the input message.
  • Secret or private key encipherment methods are constructed so that it is not possible to determine the secret key used on the basis of the knowledge of the input data and/or of the output data of the algorithm.
  • The security of a component relies on its ability to keep hidden the secret key that it uses.
  • A frequently used method is the DES (Data Encryption Standard) type method. It makes it possible, for example, to provide an encrypted message MS (or output data) coded on 64 bits, on the basis of a plaintext message ME (input data) also coded on 64 bits and of a 56-bit secret key K0.
  • A DFA attack uses fault injection, for example, by way of a laser beam, so as to reach one or more bits of a temporary result of the calculation in a register so as to modify the value thereof.
  • A DFA attack using double fault injection makes it possible to circumvent protection by a method of cryptographic calculation which provides for verification of the calculation by a recalculation and a verification step.
  • An inverse calculation and a verification step may be performed instead.
  • Disturbances may be generated, for example, with the aid of the laser beam (repeated until enough spoiled digits or bits are obtained to conduct a DFA attack).
  • A first disturbance a) may be on the penultimate round of the first DES (or the second round of the DES−1).
  • A second disturbance b) may be on the penultimate round of the second DES (or the second round of the DES−1), with the same disturbance characteristics as in a).
  • An approach for protecting oneself against an attack of the DPA type includes performing a random masking of the data path, and in particular, of the SBOX operator present in this data path. Such an approach is, for example, described in European patent no. 1358732.
  • A method of secure cryptographic calculation to protect a component is provided.
  • The method may be incorporated into a chip card, and implement a redundant cryptographic calculation and a verification against a physical attack of the DFA (Differential Fault Analysis) type.
  • Such an attack uses a double fault to spoil the two calculations in order to obtain information about the secret or private key.
  • An embodiment is provided to thwart an attacker who would effect an identical disturbance at two chosen instants. It is advantageous to protect against fault attacks of a “safe error” type without compromising the protection from masking by a random quantity necessary to guard against side channel analysis (DPA, DEMA, etc.).
  • The method of secure cryptographic calculation may comprise the following:
  • a formulation of a first list of first random quantities; a formulation of a first non-linear substitution operator (for example, an SBOX operator) masked with the aid of at least part of the first list;
  • a formulation of a second list deduced from the first list and comprising second random quantities respectively deduced from the first random quantities; a formulation of a second non-linear substitution operator masked with the aid of at least part of the second list;
  • at least two successive implementations of a cryptographic calculation algorithm comprising N rounds of calculation carried out successively to obtain output data on the basis of input data and of a secret key (for example, a preferably symmetric encryption or decryption algorithm such as DES, AES or one of their variations), with the data path of the algorithm being masked;
  • one of the two implementations comprising a masking of the data path of the algorithm involving the first list of first random quantities and the first masked non-linear substitution operator, with the other implementation comprising a masking of the data path of the algorithm involving the second list of second random quantities and the second masked non-linear substitution operator; and, after the two implementations of the algorithm,
  • a verification of consistency between the two implementations or executions such as, for example, a verification of equality between two data taken from among the data involved in the two implementations.
  • The data involved may be the input data and the output data of the two implementations.
  • The choice of the data to be verified depends on whether the implementation of the algorithm is an encryption or a decryption.
  • When the two implementations use the same plaintext input data (for example, DES twice), the verification step mentioned above comprises the verification of equality between the two encrypted (enciphered) output data.
  • When the first implementation uses plaintext input data and the second uses the encrypted output data of the first as its input data (for example, DES then DES−1), the verification step mentioned above comprises the verification of equality between the input data (plaintext) used during the first implementation and the output data (plaintext: decrypted) obtained on completion of the second implementation.
  • When the first implementation uses encrypted input data and the second uses the decrypted output data of the first as its input data (for example, DES−1 then DES), the verification step mentioned above comprises the verification of equality between the (encrypted) input data used during the first implementation and the (encrypted) output data obtained on completion of the second implementation.
  • the second random quantities may be deduced from the first random quantities in various ways, for example, through a 1-complement operation, through an incrementation by 1 or else by performing an EXCLUSIVE OR (XOR) of each first random quantity with a constant. These examples are not exhaustive.
  • the invention can also be understood as a method of protection within an electronic circuit, of an item of information, for example, a key, in an algorithm, preferably symmetric, for encrypting or decrypting a message (input data) implemented within an electronic component.
  • The method may comprise the following:
  • a verification of consistency between the two implementations or executions such as, for example, a verification of equality between two data taken from among the data involved in the two implementations.
  • The method furthermore comprises the following:
  • a step of verification of consistency between the two implementations or executions, with verification performed, for example, on two data taken from among the data involved in the two implementations, the data possibly being masked according to the first randomly drawn bit or else demasked according to it.
  • Such a mode of implementation allows simultaneous protection against several attacks.
  • the choice in the two implementations, of one or the other of the two lists and of the corresponding masked substitution operator can depend on the value of a second randomly drawn bit.
  • an electronic component or circuit comprises means or circuitry adapted for implementing the cryptographic calculation or protection method as defined above.
  • a chip card incorporates such an electronic component or circuit.
  • FIG. 1 schematically illustrates an exemplary masked data path of a round of rank i of an algorithm of the DES type according to the invention
  • FIGS. 2 to 5 relate to various modes of implementation and embodiment of a method and of a component according to the invention.
  • In FIG. 1 the data path is masked by two random numbers X1, X2.
  • E and P are respectively an expansion and a permutation that are commonly used in a known DES algorithm.
  • XOR designates the EXCLUSIVE OR function.
  • a new non-linear operator SBOX 2 is calculated via the relation:
  • A disturbance undetected by the methods described in patent application FR No. 09/57783 or in patent application FR No. 08/53198 is a disturbance effected in zone 2, as represented in FIG. 1.
  • This exploits the fact that the masks relating to the bits of the flow that are affected by the fault are identical in the two instances. When considering a single bit, the probability of such an event is 1/2. When considering more bits, the attacker will have a good probability of obtaining favorable instances with sufficient trials. In other words, in this zone 2 the data are identical during the two redundant algorithmic instances.
  • The attacker's probability of success depends above all on his ability to reproduce the disturbance at the same moment (or at a moment leading to the same effect).
  • A method is provided for which the attacker who undertakes a double injection of faults on a component implementing two redundant algorithmic instances (for example DES DES, or DES DES−1, or DES−1 DES) will no longer be able to obtain undetected and exploitable disturbances for a DFA attack.
  • This aspect is distinguished from a first approach that consists in multiplying the instances of DES so as to reduce the probability of the attacker producing a multitude of identical faults, or in choosing a random number of instances (of implementations of the DES).
  • This aspect of the invention is also distinguished from a second approach which makes provision to use protection based on random masking by renewing the random quantities between the two instances of DES.
  • A drawback of the first approach is, on the one hand, that the performance will be particularly degraded and, on the other hand, that the counter-measure does not prevent the attacker from making the attack but only renders it more difficult, without the added difficulty being measurable.
  • the protection is “total”. More precisely, to guard against a double fault DFA attack, there is a provision according to one mode of implementation ( FIG. 2 ) for the following:
  • a formulation 20 of a first list of first random quantities R (the random numbers X1, X2 of FIG. 1, or else the random numbers X1, X2, X3 used in EP no. 1358732, are, for example, the first random quantities of the list R);
  • a formulation 22 of a second list R^C, complement of the first list and comprising second random quantities, for example, the 1-complements of the respective first random quantities (as indicated above, the 1-complement is not the only possibility for deducing the second random quantities from the first; it is indeed possible, in particular, to perform an incrementation by 1 or else an EXCLUSIVE OR (XOR) of each first random quantity with a constant);
  • at least two successive implementations of the DES algorithm with the data path masked, for example, according to FIG. 1 or according to EP no. 1358732, with one of the two implementations 24 (DES_R) comprising a masking of the data path of the algorithm involving the first list of first random quantities R and the first masked non-linear substitution operator SBOX_R;
  • the other implementation 25 comprising a masking of the data path of the algorithm involving the second list of second random quantities R^C and the second masked non-linear substitution operator SBOX_R^C;
  • Non-equality between the two data signifies that the component has undergone a disturbance.
  • measures such as a functional disabling of the component, may be taken.
  • Random masking of the data flow of a DES implementation makes it possible to protect the DES against attacks of the DPA or DEMA type. More precisely, with this random masking the following notation is used:
  • M designates a 64-bit message (input data);
  • K is a 56-bit key encoded on 64 bits;
  • R is the list of first random quantities;
  • C is the result of the encryption of the message M with the key K;
  • DES_R designates a DES implementation carried out according to a masking method such as that illustrated in FIG. 1 or else described in EP no. 1358732;
  • 0xNN designates hexadecimal notation with 0 ≤ N ≤ F (for example, 128 may be written 0x80);
  • R designates the list of random quantities r_i necessary to carry out DES_R;
  • a′ designates the 1-complement of a (if a equals 0 the 1-complement equals 1 and vice versa);
  • r_i^C is therefore here the 1-complement of r_i;
  • ⊕ designates the bitwise XOR function;
  • r_i will be chosen different from 0x00 and from 0xFF (0x00 would leave the data path unmasked and 0xFF merely complemented).
  • The random numbers X1, X2 of FIG. 1, or else the random numbers X1, X2, X3 used in EP no. 1358732, are, for example, the random quantities r_i of the list R.
  • DES_R^C designates a DES implementation carried out according to a masking method such as that illustrated in FIG. 1 or else such as described in EP no. 1358732 involving the list of random quantities R^C, while DES_R designates this same DES implementation involving the list of random quantities R.
  • SBOX_R^C designates the SBOX values masked according to the list R^C, when SBOX_R designates the SBOX values masked according to the list R.
  • the protocol is as follows:
  • This method further comprises:
  • a first implementation 33 of the algorithm (DES_R or DES_R^C) involving one of the two lists of random quantities and the corresponding masked non-linear substitution operator;
  • the verification could be performed on the non-demasked data.
  • C′ = DES(M′, K′) (1-complement property of DES), where:
  • C′ designates the 1-complement of C, with C = DES(M, K);
  • ⊕ designates the bitwise XOR (EXCLUSIVE OR);
  • M designates the message
  • K the DES key coded on 64 bits.
  • This other mode of implementation harnesses the above two properties so as to thwart an attacker who would effect an identical disturbance at two chosen instants. This is while preserving the properties of protection against fault attacks of “safe error” type and also without compromising the protection from masking by a random quantity necessary to guard against side channel analysis (DPA, DEMA, etc.).
  • KEY is the key register of the DES_R implementation (KEY is represented on 64 bits);
  • RDATA is the register for data input to and output from the cell which carries out DES R ;
  • TEMP is a register or memory.
  • The protocol is as follows:
  • Random drawing of two bits b1 and b2: b1 serves to complement the message and the key; b2 serves, as indicated hereinabove, to alternate the use of DES_R and DES_R^C.
  • The fact that the key is represented on 64 bits, whereas it comprises only 56, is entirely conventional and makes it possible not to distinguish the mask on the key from the mask on the data.
  • The calculation of SBOX_R (respectively of SBOX_R^C) may be done at steps 9 and 10 during the execution of DES_R (respectively DES_R^C).
  • A is a random byte and A′ is its 1-complement.
  • A is stored in a register T (step 40).
  • T ⊕ M is stored in T (A ⊕ M is therefore computed) (step 41).
  • T ⊕ A is stored in T (A ⊕ M ⊕ A is therefore computed, which is equal to M) (step 42).
  • A is stored in T (step 400).
  • T ⊕ M is stored in T (A ⊕ M is therefore computed) (step 401).
  • T ⊕ A′ is stored in T (A ⊕ M ⊕ A′ is therefore computed, which is equal to A ⊕ M ⊕ A ⊕ 0xFF, which is equal to M ⊕ 0xFF) (step 402).
  • In step b of Sequence(b1_param, b2_param) above, the calculation is effected once with SBOX_R^C (therefore masked according to R^C) and another time with SBOX_R (therefore masked according to R), whereas the data and keys are initially masked according to the same mask Mask[b1].
  • The attacker will not be able to obtain a disturbance undetected by the verification of point 11 of the protocol, and the component also benefits from protection against “safe errors” since the property of alternating representation of the key is adhered to.
  • Any modification in the logic which results from a disturbance during the first instance of the DES, and which modifies the data masked according to the first randomly chosen mask, will not be able, with an identical effect during the second instance of the DES, to modify in the same manner the data masked by the complementary mask.
  • When the attacker applies his attack to a component implementing a method according to the invention, he will obtain a fault detection which depends only on the sequence executed (and not on the key used) if the disturbance takes place in zone 1, or a systematic detection if the disturbance is situated in zone 2.
  • The attacker who undertakes an attack of the “safe error” type will thus obtain faults which are detected or undetected independently of the key bits, which does not allow him to deduce information about the targeted key bits.
  • protection can also be implemented with several key registers.
  • the method according to the invention may be implemented in software within a component CMP or electronic circuit comprising a processor MT ( FIG. 5 ) embodied, for example, by one or more software modules implemented within a microprocessor.
  • a computer program product is directly loadable into a memory of a computerized system, for example, the processor and its associated memories.
  • the computer program product comprises portions of software code for the execution of the method, such as defined above when the program is executed on the computerized system.
  • Yet another aspect is directed to a medium readable by a computerized system that includes computer-executable instructions adapted to cause the execution by the computerized system of the method as defined above.
  • An electronic circuit may be incorporated into a chip card or microcircuit card CP, for example.
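
The double-fault scenario in zone 2, the redundant execution with the lists R and R^C, and the Mask[b1] instruction sequence of steps 40 to 42 and 400 to 402, put together in a worked example. This is added illustration code, not code from the patent or from STMicroelectronics. It does not implement DES: it uses a constructed toy Feistel cipher that keeps the 1-complement property of DES (16-bit block, 8-bit halves, 4 rounds, the 4-bit bijective S-box taken from row 0 of DES S1, a bit permutation P, and subkeys obtained by bit rotation and truncation of the key, so that complementing the key complements every subkey). Since the page does not reproduce the relation defining SBOX 2, the masked table is assumed to be SBOX_R[x ⊕ X1] = SBOX[x] ⊕ X2, with a mask correction that depends only on the masks; the list R is the pair (X1, X2). The fault model is the unidirectional stuck-at fault on one bit of the masked R register of the penultimate round, applied identically in both executions as the double-fault attacker described above does. All function and variable names are the example's own.

```python
import random

# Constructed toy Feistel cipher (NOT DES) that keeps DES's 1-complement property:
# 16-bit block, 8-bit halves, 4 rounds, 4-bit bijective S-box (row 0 of DES S1),
# bit permutation P, subkeys obtained by pure bit selection from the key.
SBOX = [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7]
PERM = [2, 6, 1, 7, 0, 4, 3, 5]          # output bit i takes input bit PERM[i]
ROUNDS = 4


def sbox8(y):
    return (SBOX[y >> 4] << 4) | SBOX[y & 0xF]


def perm8(x):
    return sum(((x >> PERM[i]) & 1) << i for i in range(8))


def subkeys(key):
    # rotation + truncation only (like PC1/PC2 in DES), so subkeys(K') == subkeys(K)'
    return [((key << (3 * i)) | (key >> (16 - 3 * i))) & 0xFF for i in range(ROUNDS)]


def f(r, k):
    return perm8(sbox8(r ^ k))


def stuck_at(reg, bit, val):
    # unidirectional fault model: one register bit is forced to val (0 or 1)
    return (reg & ~(1 << bit) & 0xFF) | (val << bit)


def encrypt(m, key, fault=None):
    # reference unmasked cipher; fault = (round, bit, val) hits the R register of that round
    l, r = m >> 8, m & 0xFF
    for i, k in enumerate(subkeys(key)):
        if fault and fault[0] == i:
            r = stuck_at(r, fault[1], fault[2])
        l, r = r, l ^ f(r, k)
    return (l << 8) | r


def masked_sbox(x1, x2):
    # assumed masked table SBOX_R: SBOX_R[x ^ x1] == sbox8(x) ^ x2
    return [sbox8(y ^ x1) ^ x2 for y in range(256)]


def encrypt_masked(m, key, masks, fault=None):
    # masked data path: both halves carry the mask x1 and the S-box is only used
    # through SBOX_R; the fault is applied to the masked register (zone 2 of FIG. 1)
    x1, x2 = masks
    table, corr = masked_sbox(x1, x2), perm8(x2)    # corr depends on the masks only
    lm, rm = (m >> 8) ^ x1, (m & 0xFF) ^ x1
    for i, k in enumerate(subkeys(key)):
        if fault and fault[0] == i:
            rm = stuck_at(rm, fault[1], fault[2])
        lm, rm = rm, lm ^ perm8(table[rm ^ k]) ^ corr
    return ((lm ^ x1) << 8) | (rm ^ x1)             # demask the result


def complement_masks(masks):
    # the list R^C: 1-complement of every random quantity of R
    return tuple(x ^ 0xFF for x in masks)


def redundant_encrypt(m, key, masks_a, masks_b, fault=None):
    # two masked executions, each with its own list, then the consistency check;
    # the attacker reproduces the identical disturbance in both executions
    c1 = encrypt_masked(m, key, masks_a, fault)
    c2 = encrypt_masked(m, key, masks_b, fault)
    return c1, c1 == c2


def undetected_faults(m, key, masks_a, masks_b):
    # number of stuck-at faults on the R register of the penultimate round that
    # corrupt the output AND pass the check: these are the ones usable for DFA
    good, usable = encrypt(m, key), 0
    for bit in range(8):
        for val in (0, 1):
            c, ok = redundant_encrypt(m, key, masks_a, masks_b, (ROUNDS - 2, bit, val))
            if ok and c != good:
                usable += 1
    return usable


def encrypt_alternating(m, key, b1):
    # Mask[b1] representation: the same instruction sequence (T = A; T ^= M; T ^= A or A')
    # yields M for b1 == 0 and M' for b1 == 1; the key register then holds K or K'
    # and the 1-complement property gives back the same ciphertext either way
    a, mask = random.getrandbits(16), [0x0000, 0xFFFF][b1]
    t = a
    t ^= m
    t ^= a ^ mask
    return encrypt(t, key ^ mask) ^ mask


if __name__ == "__main__":
    m, key, r = 0x1234, 0xBEEF, (0x5A, 0xC3)
    print("masked == plain:", encrypt_masked(m, key, r) == encrypt(m, key))
    print("usable faults, same list R twice:", undetected_faults(m, key, r, r))
    print("usable faults, R then R^C:", undetected_faults(m, key, r, complement_masks(r)))
    print("usable faults, R then R xor 0x0F:", undetected_faults(m, key, r, (r[0] ^ 0x0F, r[1] ^ 0x0F)))
```

Running it reproduces the argument of the page on this toy cipher: with the same list R in both executions, every stuck-at fault that actually changes the masked register (8 of the 16 possible faults) changes it identically in both runs, so the outputs agree and the wrong result passes the check; with R then R^C, the masked bit is inverted between the two runs, so exactly one of them is affected and the check fails every time; with R then R ⊕ 0x0F only the four bit positions where the constant is 1 are covered, which is why the 1-complement is the natural choice among the variants listed above. The bit-flip (XOR) fault model is deliberately not covered: a flip changes the demasked value whatever the mask, and no choice of masks alone detects it.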


Abstract

A method of secure cryptographic calculation includes formulating a first list of first random quantities, formulating a first non-linear substitution operator masked with at least part of the first list, and formulating a second list determined from the first list. The second list includes second random quantities respectively determined from the first random quantities. A second non-linear substitution operator masked with at least part of the second list is formulated. At least two successive implementations of a cryptographic calculation algorithm are performed that includes N rounds of calculations carried out successively to obtain output data based on input data and of a secret key, with a data path of the cryptographic calculation algorithm being masked.

Description

    FIELD OF THE INVENTION
  • The present invention relates to a secure method of cryptographic calculation employing a secret or private key, and to a component implementing such a secure method.
  • In particular, but not exclusively, the following algorithms may be implemented: the DES or AES algorithm, a cryptographic calculation algorithm exhibiting the 1-complement property of DES, such as, for example, an algorithm based on a Feistel network.
  • BACKGROUND OF THE INVENTION
  • A Feistel algorithm performs a block symmetric encryption and is characterized, in particular, by similar or indeed identical encryption and decryption operations. An exemplary Feistel algorithm is the DES algorithm and its diverse variations. Other algorithms are known by the names LOKI and GOST.
  • The components used to implement a secure method relate to, in particular, applications where access to services and/or to data is severely controlled. These components usually have an architecture formed around a microprocessor and a program memory comprising, in particular, the secret key.
  • Such components are, for example, used in chip cards. In particular, these components may be used for banking type applications by way of a control terminal or remotely. Such components use one or more methods of encipherment employing a secret or private key to calculate output data on the basis of input data. Such a method is, for example, used to encrypt, decrypt, sign an input message or else verify the signature of the input message.
  • To ensure the security of transactions, secret or private key encipherment methods are constructed so that it is not possible to determine the secret key used on the basis of the knowledge of the input data and/or of the output data of the algorithm. However, the security of a component relies on its ability to keep hidden the secret key that it uses.
  • A frequently used method is the DES (Data Encryption Standard) type method. It makes it possible, for example, to provide an encrypted message MS (or output data) coded on 64 bits, on the basis of a plaintext message ME (input data) also coded on 64 bits and of a 56-bit secret key K0.
  • The algorithm of the DES type is well known to the person skilled in the art. The latter may refer, for example, for all useful purposes to the document entitled DATA ENCRYPTION STANDARD (DES), FIPS PUB 46-3, FEDERAL INFORMATION PROCESSING STANDARDS PUBLICATION, 25 Oct. 1999, U.S. DEPARTMENT OF COMMERCE, National Institute of Standards and Technology.
  • Various types of attacks on an implementation of a cryptography algorithm (of DES, for example) are possible. An attack of the DFA (Differential Fault Analysis) type may be cited. This type of attack has formed the subject of several publications. It is, in particular, possible to refer to the article by Biham and Shamir entitled “Differential Fault Analysis of Secret Key Cryptosystems”, Lecture Notes in Computer Science, vol. 1294, pages 513-525, 1997.
  • A DFA attack uses fault injection, for example, by way of a laser ray, so as to reach one or more bits of a temporary result of the calculation in a register so as to modify the value thereof.
  • A DFA attack using double fault injection makes it possible to circumvent protection by a method of cryptographic calculation which provides for verification of the calculation by a recalculation and a verification step. An inverse calculation and a verification step may be performed instead.
  • A summary description of this type of attack is as follows. The successive DESs (DES then DES, or DES then DES−1, according to the counter-measure implemented) may be logged. This step is done using tools such as the tracing of the current consumption or of the electromagnetic radiation of the attacked component.
  • Disturbances may be generated, for example, with the aid of a laser beam (repeated until enough spoiled digits or bits are obtained to conduct a DFA attack). A first disturbance a) may be on the penultimate round of the first DES (or the second round of the DES−1). A second disturbance b) may be on the penultimate round of the second DES (or the second round of the DES−1), with the same disturbance characteristics as in a).
  • In exploitation, the attacker conducts a DFA attack with the messages collected during the repetition of the second disturbance mentioned above. Disturbances a) and b) need to induce the same effect so that the verification cannot detect the error introduced. This requires that the attacker reproduce the same error, exactly twice, at locations which correspond in the algorithm and in the verification algorithm.
  • Another type of attack by injection of faults on a register or a storage element is known by the term unidirectional disturbance (safe error attack). Patent application FR No. 10/51205 filed Feb. 19, 2010 in the name of the applicant describes such an attack and a corresponding protection approach.
  • Other approaches to protecting against such an attack are described in patent application FR No. 09/57783 filed on Nov. 4, 2009 and patent application FR No. 08/53198 filed on May 16, 2008.
  • Another type of attack well known to the person skilled in the art is a side channel attack, known by the term DPA (Differential Power Analysis). Reference may be made to the article by P. Kocher and others entitled Differential Power Analysis.
  • An approach for protecting oneself against an attack of the DPA type includes performing a random masking of the data path, and in particular, of the SBOX operator present in this data path. Such an approach is, for example, described in European patent no. 1358732.
  • Currently, it is possible for an attacker to produce at two precise instants the same disturbance which might perhaps foil the counter-measures described in patent application FR No. 09/57783 or in patent application FR No. 08/53198.
  • Moreover, in spite of the random masking of the SBOX operator described in EP no. 1358732, it is possible for an attacker to conduct a physical attack of the DFA (Differential Fault Analysis) type whether it uses a simple or a double fault.
  • SUMMARY OF THE INVENTION
  • According to one mode of implementation, a method of secure cryptographic calculation to protect a component is provided. The method, for example, may be incorporated into a chip card, and implement a redundant cryptographic calculation and a verification against a physical attack of the DFA (Differential Fault Analysis) type. Such an attack uses a double fault to spoil the two calculations in order to obtain information about the secret or private key.
  • According to another mode of implementation, an embodiment is provided to thwart an attacker who would effect an identical disturbance at two chosen instants. It is advantageous to protect against fault attacks of a “safe error” type without compromising the protection from masking by a random quantity necessary to guard against side channel analysis (DPA, DEMA, etc.).
  • According to one aspect, the method of secure cryptographic calculation may comprise the following:
  • a formulation of a first list of first random quantities, a formulation of a first non-linear substitution operator (for example, an SBOX operator) masked with the aid of at least part of the first list;
  • a formulation of a second list deduced from the first list and comprising second random quantities respectively deduced from the first random quantities;
  • a formulation of a second non-linear substitution operator masked with the aid of at least part of the second list;
  • at least two successive implementations of a cryptographic calculation algorithm comprising N rounds of calculation carried out successively to obtain output data on the basis of input data and of a secret key, for example, a preferably symmetric, encryption or decryption algorithm, for example, DES, AES or one of their variations, with the data path of the algorithm being masked;
  • one of the two implementations comprising a masking of the data path of the algorithm involving the first list of first random quantities and the first masked non-linear substitution operator, with the other implementation comprising a masking of the data path of the algorithm involving the second list of second random quantities and the second masked non-linear substitution operator, and after the two implementations of the algorithm; and
  • a verification of consistency between the two implementations or executions such as, for example, a verification of equality between two data taken from among the data involved in the two implementations.
  • The data involved may be the input data and the output data of the two implementations. The choice of the data to be verified depends on whether the implementation of the algorithm is an encryption or a decryption.
  • Thus, if the algorithm is applied to plaintext input data, then encrypted output data will be obtained. If the algorithm is applied to encrypted input data, plaintext output data will be obtained.
  • It is thus possible to perform the two implementations by using the same plaintext input data twice. Thus, for example, the DES is implemented twice. In this case the verification step mentioned above comprises the verification of equality between the two encrypted (enciphered) output data.
  • It is also possible to perform a first implementation with plaintext input data and the second implementation with the encrypted output data, obtained after the first implementation, as input data. Thus, for example, the DES is implemented the first time and then the DES−1. In this case the verification step mentioned above comprises the verification of equality between the input data (plaintext) used during the first implementation and the output data (plaintext: decrypted) obtained on completion of the second implementation.
  • It is also possible to perform a first implementation with encrypted input data and the second implementation with the plaintext (decrypted) output data, obtained after the first implementation, as input data. Thus, for example, the DES−1 is implemented the first time and then the DES. In this case the verification step mentioned above comprises the verification of equality between the (encrypted) input data used during the first implementation and the (encrypted) output data obtained on completion of the second implementation.
  • It is thus possible to guard against a DFA attack using a double fault. The second random quantities may be deduced from the first random quantities in various ways, for example, through a 1-complement operation, through an incrementation by 1 or else by performing an EXCLUSIVE OR (XOR) of each first random quantity with a constant. These examples are not exhaustive.
  • According to another aspect, the invention can also be understood as a method of protection within an electronic circuit, of an item of information, for example, a key, in an algorithm, preferably symmetric, for encrypting or decrypting a message (input data) implemented within an electronic component. The method may comprise the following:
  • a formulation of a first list of first random quantities, a formulation of a first non-linear substitution operator masked with the aid of a part of at least the first list;
  • a formulation of a second list deduced from the first list and comprising second random quantities respectively deduced from the first random quantities, a formulation of a second non-linear substitution operator masked with the aid of a part of at least the second list;
  • at least two successive implementations of the algorithm, with the data path of the algorithm being masked, with one of the two implementations comprising a masking of the data path of the algorithm involving the first list of first random quantities and the first masked non-linear substitution operator, and with the other implementation comprising a masking of the data path of the algorithm involving the second list of second random quantities and the second masked non-linear substitution operator; and
  • after the two implementations of the algorithm, a verification of consistency between the two implementations or executions, such as, for example, a verification of equality between two data taken from among the data involved in the two implementations.
  • According to one mode of implementation compatible with a cryptographic calculation algorithm (encryption or decryption) exhibiting the 1-complement property of DES, such as, for example, the triple DES algorithm or other algorithms based on a Feistel network that share this property, the method furthermore comprises the following:
  • a random drawing of at least one first bit;
  • an initial masking of the input data with the aid of the first bit so as to obtain a masked input data;
  • a masking of the key with the aid of the first bit so as to obtain a masked key;
  • a first implementation of the algorithm involving the masked input data and the masked key as well as one of the two lists of random quantities and the corresponding masked non-linear substitution operator;
  • a second implementation of the algorithm involving the masked input data, and the masked key as well as the other list of random quantities and the other masked non-linear substitution operator; and
  • the step of verification of consistency between the two implementations or executions, with the verification performed, for example, on two data taken from among the data involved in the two implementations, the data being either masked by the first bit or demasked by the first bit.
  • Such a mode of implementation allows simultaneous protection against several attacks. The choice in the two implementations, of one or the other of the two lists and of the corresponding masked substitution operator can depend on the value of a second randomly drawn bit.
  • For example, an attacker will no longer be capable of disturbing in a precise and repetitive manner (with the same effects on the registers or the internal logic of the attacked circuit) the two redundant algorithmic instances (for example: DES-DES; DES-DES−1; DES−1-DES) implemented in the protection, so as to obtain spoiled data (despite the verification performed) exploitable within the framework of DFA. Neither will it be possible any longer for this attacker to apply a “safe-error” to the bits of the key registers.
  • According to another aspect, an electronic component or circuit comprises means or circuitry adapted for implementing the cryptographic calculation or protection method as defined above. According to yet another aspect, a chip card incorporates such an electronic component or circuit.
  • BRIEF DESCRIPTION OF THE DRAWINGS
  • Other advantages and characteristics of the invention will be apparent on examining nonlimiting modes of implementation and embodiments and the appended drawings.
  • FIG. 1 schematically illustrates an exemplary masked data path of a round of rank i of an algorithm of the DES type according to the invention; and
  • FIGS. 2 to 5 relate to various modes of implementation and embodiment of a method and of a component according to the invention.
  • DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENT
  • In FIG. 1 the data path is masked by two random numbers X1, X2. E and P are respectively an expansion and a permutation that are commonly used in a known DES algorithm. XOR designates the EXCLUSIVE OR function.
  • A new non-linear operator SBOX2 is calculated via the relation:

    SBOX2 = FCT(SBOX, X1, X2)

  • where SBOX is the non-linear operator used in a known DES method, and FCT is a function such that:

    SBOX2(A XOR X1) = SBOX(A) XOR X2 for all A.

  • That said, although FIG. 1 relates to the XOR operator, the latter is not the only possible operator, and the function FCT may be such that SBOX2(A @ X1) = SBOX(A) # X2 for all A, in which @ and # are linear mixing operators, where @ and # may differ from one another. These operators can have, in particular, the properties described in EP no. 1358732.
  • More precisely, taking the operator @ as an example, it is chosen linear with respect to the variables that it mixes. In general, the following properties apply, regardless of the data A, B, C:
    @ is of arity two: it takes two arguments as parameters;
    @ satisfies E(A @ B) = E(A) @ E(B), with E being a linear operator;
    @ satisfies (A XOR B) @ C = A XOR (B @ C); and
    there exists an operator @−1, the inverse of @, such that (A @ B) @−1 A = B, where @ and @−1 may optionally be identical.
  • Any other random masking of the data path is possible, in particular, as the one described in EP no. 1358732.
  • A disturbance undetected by the methods described in patent application FR No. 09/57783 or in patent application FR No. 08/53198 is a disturbance effected in zone 2, as represented in FIG. 1. Such a disturbance benefits from the fact that the masks on the bits of the flow affected by the fault are identical in the two instances. For a single bit this is the case with probability 1/2; when more bits are considered, the attacker still has a good probability of obtaining favourable instances with a sufficient number of trials. In other words, in this zone 2 the data are identical during the two redundant algorithmic instances.
  • The attacker's probability of success depends above all on his ability to reproduce the disturbance at the same moment, or at a moment leading to the same effect.
  • According to one aspect of the invention, a method is provided for which the attacker who undertakes a double injection of faults on a component implementing two redundant algorithmic instances (for example DES DES, or DES DES−1, or DES−1 DES) will no longer be able to obtain undetected and exploitable disturbances for a DFA attack.
  • As will be seen in greater detail below, this aspect is distinguished from a first approach that consists in multiplying the instances of DES so as to reduce the probability of the attacker producing a multitude of identical faults, or in choosing a random number of instances (of implementations of the DES).
  • This aspect of the invention is also distinguished from a second approach which makes provisions to use protection based on random masking by renewing the random quantities between the two instances of DES.
  • A drawback of the first approach is, on the one hand, that performance is particularly degraded and, on the other hand, that the countermeasure does not prevent the attack but only makes it more difficult, without the scale of that difficulty being measurable.
  • The second approach for its part very slightly reduces the probability of the attacker obtaining pairs in step 2 (disturbances) of the summary description of the double fault DFA attack mentioned above.
  • Conversely, with this aspect of the invention the protection is “total”. More precisely, to guard against a double fault DFA attack, there is a provision according to one mode of implementation (FIG. 2) for the following:
  • a formulation 20 of a first list of first random quantities R (the random numbers X1, X2 of FIG. 1, or else the random numbers X1, X2, X3 used in EP no. 1358732 are, for example, the first random quantities of the list R);
  • a formulation 21 of a first non-linear substitution operator SBOX_R masked with the aid of a part of at least the first list;
  • a formulation 22 of a second list RC, complement of the first list, comprising second random quantities which are, for example, the 1-complements of the first random quantities (as indicated above, the 1-complement is not the only possibility for deducing the second random quantities from the first; it is also possible, in particular, to perform an incrementation by 1 or an EXCLUSIVE OR (XOR) of each first random quantity with a constant);
  • a formulation 23 of a second non-linear substitution operator SBOX_RC masked with the aid of a part of at least the second list;
  • at least two successive implementations of the DES algorithm with the data path masked, for example, according to FIG. 1 or according to EP no. 1358732, with one of the two implementations 24 (DES_R) comprising a masking of the data path of the algorithm involving the first list of first random quantities R and the first masked non-linear substitution operator SBOX_R;
  • the other implementation 25 (DES_RC) comprising a masking of the data path of the algorithm involving the second list of second random quantities RC and the second masked non-linear substitution operator SBOX_RC; and
  • a verification (26) of equality between the two output data respectively obtained on completion of the two implementations of the algorithm. It has in fact been assumed that two encryption instances (DES-DES) have been effected on the same plaintext input data.
  • Non-equality between the two data signifies that the component has undergone a disturbance. In this case measures, such as a functional disabling of the component, may be taken. An exemplary protocol in accordance with this mode of implementation will now be described.
  • Random masking of the data flow of a DES implementation makes it possible to protect the DES against attacks of the DPA or DEMA type. More precisely, with this random masking

    C = DES_R(M, K, R, SBOX_R)
  • where, for example, M designates a 64-bit message (input data), K is a 56-bit key encoded on 64 bits, R is the list of first random quantities, C is the result of the encryption of the message M with the key K, and DES_R designates a DES implementation carried out according to a masking method such as that illustrated in FIG. 1 or described in EP no. 1358732. This involves random quantities of the list R (generally two quantities of size 32 and 48 bits) and a substitution operation SBOX_R (generally a table of 256 bytes) computed in accordance with the quantities of the list R.
  • This masking is such that if the quantities of the list R (and consequently SBOXR) are changed at each call to DESR, the implementation obtained is not vulnerable to attacks of the DPA type since the entirety of the flow is masked by the random quantities chosen by internal methods, with these quantities being unknown to the attacker. However, as indicated above, on its own this implementation is vulnerable to a DFA attack.
  • Hereinafter the following notation is used:
  • Notation:
  • 0xNN designates hexadecimal notation, each N being a hexadecimal digit from 0 to F (for example, 128 may be written 0x80).
  • R designates the list of random quantities r_i necessary to carry out DES_R.
  • When a designates a bit, a′ designates the 1-complement of a (if a equals 0 the 1-complement equals 1 and vice versa).
  • Given a list R, the notation RC designates the complement list, that is to say the list such that for each r_i in R and the corresponding r_i^C in RC we have r_i ^ r_i^C = 0xFF...FF.
  • r_i^C is therefore here the 1-complement of r_i.
  • For example, it will be possible to construct R and RC on the basis of a list A of random numbers a_i by taking for R the list of the values r_i = a_i and for RC the list of the values r_i^C = a_i ^ 0xFF...FF.
  • ^ designates the bitwise XOR function.
  • Preferably r_i will be chosen different from 0x00...00 and from 0xFF...FF, so that neither list contains a trivial (all-zero) mask.
  • The random numbers X1, X2 of FIG. 1, or else the random numbers X1, X2, X3 used in EP no. 1358732 are, for example, the random quantities r_i of the list R.
  • With the above notation, DES_RC designates a DES implementation carried out according to a masking method such as illustrated in FIG. 1 or described in EP no. 1358732 involving the list of random quantities RC, while DES_R designates this same DES implementation involving the list of random quantities R.
  • Thus, SBOX_RC designates the SBOX values masked according to the list RC, when SBOX_R designates the SBOX values masked according to the list R.
  • The protocol is as follows:
  • 1. Random drawing of the list A of random numbers a_i
  • 2. Construction of R and RC on the basis of A
  • 3. Calculation of SBOX_R
  • 4. Calculation of SBOX_RC
  • 5. Verify that DES_RC == DES_R, that is, verify that the two output data respectively obtained by the implementation of DES_RC and by the implementation of DES_R are equal.
  • As a variation, it would be possible to reverse the order of steps 3 and 4 or to choose this order as a function of a random draw. As a variation, the calculation of SBOX_R (resp. of SBOX_RC) may be done during the execution of DES_R (resp. DES_RC).
  • So as to guard at the same time against a double fault DFA attack, and in particular, against an attack of the “safe error” type, there is a provision according to another mode of implementation illustrated in FIG. 3. This method further comprises:
  • a random drawing 30 of at least one first bit b1;
  • an initial masking 31 of the input data with the aid of the bit b1 so as to obtain masked input data (complemented with b1);
  • a masking 32 of the key with the aid of the bit b1 so as to obtain a masked key (complemented with b1; if b1=0 the masked key is the initial key and if b1=1 the masked key is complemented with 1);
  • a first implementation 33 of the algorithm (DES_R or DES_RC) involving one of the two lists of random quantities and the corresponding masked non-linear substitution operator;
  • a second implementation 34 of the algorithm (DES_RC or DES_R) involving the other list of random quantities and the other masked non-linear substitution operator; and
  • a demasking 35 of each output data with the first bit b1 and a verification 36 on the two demasked output data.
  • That said, the verification could be performed on the non-demasked data.
  • It has also been assumed here that two encryption instances (DES-DES) have been effected on the same input data. This other mode of implementation uses a second property which is a property of DES relating to the 1-complement.
  • More precisely, if C = DES(M, K), then C′ = DES(M′, K′), where C′ designates the 1-complement of C, and it is then possible to retrieve C via the formula C = (DES(M′, K′))′, where for all X on 64 bits, X′ = 0xFFFFFFFFFFFFFFFF ^ X, with ^ designating the bitwise XOR (EXCLUSIVE OR), M designating the message and K the DES key coded on 64 bits.
  • This other mode of implementation harnesses the above two properties so as to thwart an attacker who would effect an identical disturbance at two chosen instants. This is while preserving the properties of protection against fault attacks of “safe error” type and also without compromising the protection from masking by a random quantity necessary to guard against side channel analysis (DPA, DEMA, etc.).
  • An exemplary protocol will now be described in accordance with this other mode of implementation, furthermore using a second bit b2 (FIG. 3) which makes it possible to choose the order of use of DES_R and DES_RC.
  • The notation above is supplemented with the following notation:
  • Mask[0] = 0x0000000000000000 and Mask[1] = 0xFFFFFFFFFFFFFFFF;
  • KEY is the key register of the DES_R implementation (KEY is represented on 64 bits);
  • RDATA is the register for data input to and output from the cell which carries out DES_R; and
  • TEMP is a register or memory.
  • The protocol is as follows:
  • 1. Random drawing of two bits b1 and b2; b1 serves to complement the message and the key, and b2 serves, as indicated above, to alternate the use of DES_R and DES_RC
  • 2. Random drawing of the list A of random numbers a_i
  • 3. Construction of R and RC on the basis of A
  • 4. Calculation of SBOX_R
  • 5. Calculation of SBOX_RC
  • 6. Calculation of M[b1] = M ^ Mask[b1]
  • 7. Calculation of K[b1] = K ^ Mask[b1]
  • 8. Loading of KEY with K[b1]
  • 9. Do the sequence Sequence(b1, b2); C[1] = TEMP
  • 10. Do the sequence Sequence(b1, b2′); C[2] = TEMP
  • 11. Verification C[1] == C[2]
  • 12. Calculation of C[1] = C[2] ^ Mask[b1]
  • In the foregoing, Sequence(b1_param, b2_param) applied to the parameters b1_param and b2_param to calculate the content of TEMP is defined by:
  • a. Loading of M[b1_param] into RDATA
  • b. If b2_param = 1 then execution of DES_RC, otherwise execution of DES_R
  • c. Unloading RDATA into TEMP
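The following Python is a worked example added to this page; it is not code from the patent or from STMicroelectronics. It builds masked substitution tables satisfying the relation SBOX2(A XOR X1) = SBOX(A) XOR X2 given with FIG. 1, and runs the twelve-step protocol above (b1, b2, lists R and RC, two masked executions, equality check, demasking) on a toy cipher. Everything about the cipher is constructed for the example: a 16-bit, 4-round Feistel network with a DES-style round (expansion E, key XOR, S-box, permutation P) that reuses only the real DES S-box S1, a rotate-and-select key schedule, and a two-mask scheme of my own (halves and S-box output masked by x2, S-box input remasked to x1). It is not DES and not the masking of FIG. 1 or EP 1358732, but it keeps the two properties the text relies on: E, P and the key schedule only move bits, so the 1-complement property holds, and the S-box output register carries a mask that is complemented between the two runs. Faults are modelled as stuck-at-0 on that register (an assumption about the physical fault).

```python
"""Toy Feistel cipher with a masked data path and the R / RC redundancy protocol.
Constructed example: NOT the DES of FIPS 46 and NOT the FIG. 1 implementation.
16-bit block, 4 rounds, DES-style round (expansion E, key XOR, S-box, permutation
P) with DES S-box S1 reused for both 6-bit chunks. The two-mask scheme (halves
and S-box output masked by x2, S-box input remasked to x1) is my own assumption."""
import secrets

# DES S-box S1 (FIPS 46-3): row = outer two input bits, column = inner four.
S1 = [[14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
      [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
      [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
      [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13]]
E_TABLE = [7, 0, 1, 2, 3, 4, 3, 4, 5, 6, 7, 0]  # 8 -> 12 bits (constructed)
P_TABLE = [1, 5, 2, 0, 3, 7, 4, 6]              # 8-bit permutation (constructed)
ROUNDS = 4
MASK = (0x0000, 0xFFFF)                         # Mask[0], Mask[1] on 16 bits


def sbox(a):
    return S1[((a >> 5) & 1) << 1 | (a & 1)][(a >> 1) & 0xF]


def permute(x, table, width):
    """Bit-copy operator: output bit i (MSB first) is input bit table[i] (0 = MSB)."""
    out = 0
    for src in table:
        out = (out << 1) | ((x >> (width - 1 - src)) & 1)
    return out


def round_keys(k):
    """Rotate-and-select schedule: only bit moves, so K' yields every k_i'."""
    return [((k << i) | (k >> (16 - i))) & 0xFFF for i in range(1, ROUNDS + 1)]


def encrypt_plain(m, k):
    l, r = m >> 8, m & 0xFF
    for rk in round_keys(k):
        a = permute(r, E_TABLE, 8) ^ rk
        s = (sbox(a >> 6) << 4) | sbox(a & 0x3F)
        l, r = r, l ^ permute(s, P_TABLE, 8)
    return (l << 8) | r


def complement_list(rlist):
    """RC: 1-complement of each quantity of R = (x1 on 12 bits, x2 on 8 bits)."""
    return (rlist[0] ^ 0xFFF, rlist[1] ^ 0xFF)


def masked_sbox_tables(rlist):
    """SBOX_R: per 6-bit chunk j, T_j[a ^ x1_j] = S1(a) ^ x2_j for all a."""
    x1, x2 = rlist
    tables = []
    for x1j, x2j in ((x1 >> 6, x2 >> 4), (x1 & 0x3F, x2 & 0xF)):
        t = [0] * 64
        for a in range(64):
            t[a ^ x1j] = sbox(a) ^ x2j
        tables.append(t)
    return tables


def encrypt_masked(m, k, rlist, tables, fault=None):
    """Halves carry mask x2 (zone 1); the S-box input is remasked to x1 and the
    table output carries x2 (zone 2). fault=(round, bits) forces those bits of
    the masked S-box output register to 0 in that round (stuck-at-0 model)."""
    x1, x2 = rlist
    remask = permute(x2, E_TABLE, 8) ^ x1   # converts E(x2) into x1
    unmask = permute(x2, P_TABLE, 8)        # cancels P(x2) after P
    l, r = (m >> 8) ^ x2, (m & 0xFF) ^ x2
    for i, rk in enumerate(round_keys(k)):
        a_m = permute(r, E_TABLE, 8) ^ rk ^ remask                # (E(R) ^ k) ^ x1
        s_m = (tables[0][a_m >> 6] << 4) | tables[1][a_m & 0x3F]  # S ^ x2
        if fault and fault[0] == i:
            s_m &= ~fault[1] & 0xFF
        l, r = r, l ^ permute(s_m, P_TABLE, 8) ^ unmask           # still masked by x2
    return ((l ^ x2) << 8) | (r ^ x2)


def protected_encrypt(m, k, fault=None):
    """Steps 1 to 12 of the protocol; None when the check of step 11 fails."""
    b1, b2 = secrets.randbelow(2), secrets.randbelow(2)               # step 1
    r_list = (secrets.randbelow(1 << 12), secrets.randbelow(1 << 8))  # steps 2-3
    lists = (r_list, complement_list(r_list))
    tables = (masked_sbox_tables(lists[0]), masked_sbox_tables(lists[1]))  # 4-5
    m_b1, k_b1 = m ^ MASK[b1], k ^ MASK[b1]                           # steps 6-8

    def sequence(b2_param):   # Sequence(b1, b2_param): DES_RC if 1 else DES_R
        return encrypt_masked(m_b1, k_b1, lists[b2_param], tables[b2_param], fault)

    c1, c2 = sequence(b2), sequence(1 - b2)                           # steps 9-10
    if c1 != c2:                                                      # step 11
        return None
    return c1 ^ MASK[b1]                                              # step 12


def naive_double_encrypt(m, k, fault=None):
    """Plain redundancy with a single mask list: an identical fault passes."""
    r_list = (secrets.randbelow(1 << 12), secrets.randbelow(1 << 8))
    tables = masked_sbox_tables(r_list)
    c1 = encrypt_masked(m, k, r_list, tables, fault)
    c2 = encrypt_masked(m, k, r_list, tables, fault)
    return None if c1 != c2 else c1
```

With b1 = 1 the halves hold L′ ^ x2 = L ^ x2′, so relative to the true data the DES_R run is masked by RC in zone 1 and by R at the S-box output, as in Table 2 below. A stuck-at-0 fault on the masked S-box output register in the same round of both runs is always caught by protected_encrypt: the register holds S ^ x2 in one run and S ^ x2′ in the other, so forcing the same bits to 0 alters the two real values in opposite directions and the check of step 11 fails, whereas naive_double_encrypt accepts the identical faulty result. The model matters: a fault that purely flips bits (an XOR) is mask-independent and would pass both checks, so the countermeasure targets faults whose effect on the masked register depends on its content.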
  • It is appropriate to point out that the fact that the key is represented on 64 bits, whereas it comprises only 56 is entirely conventional and makes it possible not to distinguish the mask on the key and the mask on the data.
  • As a variation, the calculation of SBOX_R (resp. of SBOX_RC) may be done at steps 9 and 10 during the execution of DES_R (resp. DES_RC).
  • Moreover, as indicated above, whereas the verification is performed in the above protocol on the data C masked by the bit b1 (complemented with b1), it could also be performed, after demasking by the bit b1 of the masked data, on these demasked data.
  • It should be noted that in order that the attacker cannot distinguish a masking with b1=0 from a masking with b1=1, steps 6 and 7 are advantageously arranged in such a way that the attacker cannot distinguish the execution with b1=0 from that with b1=1.
  • In this regard it will be possible to use any known means such as, for example, an implementation of the type of that illustrated in FIG. 4.
  • In this figure A is a random byte and A′ is its 1-complement.
  • Calculation of M ^ 0x00
  • A is stored in a register T (step 40).
  • T ^ M is stored in T (A ^ M is therefore computed) (step 41).
  • T ^ A is stored in T (A ^ M ^ A is therefore computed, which is equal to M) (step 42).
  • M is therefore stored in T.
  • Calculation of M ^ 0xFF
  • A is stored in T (step 400).
  • T ^ M is stored in T (A ^ M is therefore computed) (step 401).
  • T ^ A′ is stored in T (A ^ M ^ A′ is therefore computed, which is equal to A ^ M ^ A ^ 0xFF, that is, to M ^ 0xFF) (step 402).
  • M ^ 0xFF is therefore stored in T.
  • Thus, the two calculations of M ^ 0x00 and M ^ 0xFF each comprise substantially the same number of bit transitions, which makes them very difficult to distinguish.
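To make the transition argument concrete, the following Python, added here as an example and not taken from the patent, counts the bit transitions of register T under the Hamming-distance leakage model (an assumption about what the side channel observes) for the naive complementation and for the FIG. 4 sequence, over all 256 values of the random byte A. The transitions caused by the initial load of A into T are not counted, since the previous content of T is unknown.

```python
"""Hamming-distance view of the FIG. 4 complement sequence. Constructed example
(not the patent's code): counts bit transitions of register T while computing
M ^ 0x00 (b = 0) and M ^ 0xFF (b = 1), the naive way and the FIG. 4 way, for
every value of the random byte A."""
from collections import Counter


def hamming(x):
    return bin(x).count("1")


def transitions_naive(m, b):
    """T <- M, then T <- T ^ 0xFF only when b = 1: 0 or 8 transitions, leaking b."""
    t_before, t_after = m, m ^ (0xFF if b else 0x00)
    return hamming(t_before ^ t_after)


def transitions_fig4(m, b, a):
    """Steps 40-42 (b = 0) or 400-402 (b = 1): T <- A; T <- T ^ M; T <- T ^ (A or A')."""
    a_or_ac = a ^ (0xFF if b else 0x00)         # A for b = 0, A' for b = 1
    t0, t1, t2 = a, a ^ m, a ^ m ^ a_or_ac
    assert t2 == m ^ (0xFF if b else 0x00)      # the result is M ^ Mask[b]
    return hamming(t0 ^ t1) + hamming(t1 ^ t2)  # HW(M) + HW(A)  or  HW(M) + 8 - HW(A)


def transition_distribution(m, b):
    """Multiset of transition counts over all 256 values of A (A is uniform)."""
    return Counter(transitions_fig4(m, b, a) for a in range(256))
```

For a fixed A the two FIG. 4 paths do not give the same count (HW(M) + HW(A) against HW(M) + 8 - HW(A)); what the sequence equalises is the distribution over the random A, which is what an attacker averaging traces sees, because HW(A) over a uniform byte is symmetric about 4. The naive sequence, by contrast, leaks b exactly: 0 transitions against 8.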
  • Moreover, during step b of Sequence(b1_param, b2_param) above, the calculation is effected once with SBOX_RC (therefore masked according to RC) and another time with SBOX_R (therefore masked according to R), whereas the data and the key are initially masked according to the same mask Mask[b1].
  • Taking as an example the implementation described in EP no. 1358732 or that illustrated in FIG. 1: when b1 = 1, the execution of DES_RC is, in zone 1 (FIG. 1), under a masking corresponding to Mask[1] ^ RC = R and, in zone 2 (FIG. 1), under a mask corresponding to RC. The execution of DES_R is, in zone 1, under a masking corresponding to Mask[1] ^ R = RC and, in zone 2, under a mask corresponding to R.
  • Conversely, when b1 = 0, the execution of DES_R is, in zone 1, under a masking corresponding to Mask[0] ^ R = R and, in zone 2, under a mask corresponding to R. The execution of DES_RC is, in zone 1, under a masking corresponding to Mask[0] ^ RC = RC and, in zone 2, under a mask corresponding to RC.
  • The following two tables specify the maskings obtained during the execution of the protocol according to b1:
  • TABLE 1: Case b1 = 0

    Operation          Masking in zone 1    Masking in zone 2
    DES_R  (b2 = 0)    R                    R
    DES_RC (b2 = 1)    RC                   RC

  • TABLE 2: Case b1 = 1

    Operation          Masking in zone 1    Masking in zone 2
    DES_R  (b2 = 0)    RC                   R
    DES_RC (b2 = 1)    R                    RC
  • Thus, the attacker will not be able to obtain a disturbance undetected by the verification of point 11 of the protocol, and the component also benefits from protection against "safe errors" since the property of alternating representation of the key is adhered to.
  • Indeed, any modification of the logic resulting from a disturbance during the first instance of the DES, which modifies the data masked according to the first randomly chosen mask, cannot, with an identical effect during the second instance of the DES, modify in the same manner the data masked by the complementary mask.
  • When the attacker applies his attack to a component implementing a method according to the invention, he will obtain a fault detection which depends on the sequence executed (and not on the key used) if the disturbance takes place in zone 1, or a systematic detection if the disturbance is situated in zone 2. By virtue of these effects, an attacker who undertakes an attack of the "safe error" type will obtain faults which are detected or undetected independently of the key bits, which does not allow him to deduce information about the targeted key bits.
  • It should be noted that the protection can also be implemented with several key registers.
  • The method according to the invention may be implemented in software within a component CMP or electronic circuit comprising a processor MT (FIG. 5), for example as one or more software modules executed by a microprocessor.
  • In this regard, according to another aspect of the invention, a computer program product is directly loadable into a memory of a computerized system, for example, the processor and its associated memories. The computer program product comprises portions of software code for the execution of the method, such as defined above when the program is executed on the computerized system.
  • Yet another aspect is directed to a medium readable by a computerized system that includes computer-executable instructions adapted to cause the execution by the computerized system of the method as defined above.
  • An electronic circuit may be incorporated into a chip card or microcircuit card CP, for example.

Claims (17)

1-9. (canceled)
10. A method of secure cryptographic calculation comprising:
formulating a first list comprising first random quantities;
formulating a first non-linear substitution operator masked with at least part of the first list;
formulating a second list determined from the first list, and comprising second random quantities respectively determined from the first random quantities;
formulating a second non-linear substitution operator masked with at least part of the second list;
at least two successive implementations of a cryptographic calculation algorithm comprising N rounds of calculations carried out successively to obtain output data based on input data and of a secret key, with a data path of the cryptographic calculation algorithm being masked,
a first of the two successive implementations comprising a masking of the data path of the cryptographic calculation algorithm involving the first list of first random quantities and the masked first non-linear substitution operator, and
a second of the two successive implementations comprising a masking of the data path of the cryptographic calculation algorithm involving the second list of second random quantities and the masked second non-linear substitution operator; and
verifying consistency between the two successive implementations.
11. The method according to claim 10, wherein the verifying of the consistency comprises verifying equality between two data taken from data involved in the at least two successive implementations.
12. The method according to claim 10, wherein the second random quantities are obtained by 1-complementing the first random quantities.
13. The method according to claim 10, further comprising:
a random drawing of at least one first bit (b1);
an initial masking of the input data with the first bit to obtain masked input data,
masking the secret key with the first bit to obtain a masked secret key;
a first implementation of the cryptographic calculation algorithm involving the masked input data and the masked secret key and one of the first or second lists of random quantities and the corresponding masked first or second non-linear substitution operators;
a second implementation of the cryptographic calculation algorithm involving the masked input data and the masked secret key and the other one of the first or second lists of random quantities and the other one of the corresponding masked first or second non-linear substitution operators; and
with verifying consistency between the two successive implementations being performed on two data taken from among the data involved in the at least two successive implementations, and with the two data being masked or unmasked by the first bit.
14. The method according to claim 13, further comprising choosing one of the first or second lists of random quantities, and choosing one of the corresponding masked first or second non-linear substitution operators based on a second randomly drawn bit.
15. An electronic component comprising:
a processor configured to perform a secure cryptographic calculation comprising
formulating a first list comprising first random quantities,
formulating a first non-linear substitution operator masked with at least part of the first list,
formulating a second list determined from the first list, and comprising second random quantities respectively determined from the first random quantities,
formulating a second non-linear substitution operator masked with at least part of the second list,
at least two successive implementations of a cryptographic calculation algorithm comprising N rounds of calculations carried out successively to obtain output data based on input data and of a secret key, with a data path of the cryptographic calculation algorithm being masked,
a first of the two successive implementations comprising a masking of the data path of the cryptographic calculation algorithm involving the first list of first random quantities and the masked first non-linear substitution operator, and
a second of the two successive implementations comprising a masking of the data path of the cryptographic calculation algorithm involving the second list of second random quantities and the masked second non-linear substitution operator, and
verifying consistency between the two successive implementations.
16. The electronic component according to claim 15, wherein the verifying of the consistency by said processor comprises verifying equality between two data taken from data involved in the at least two successive implementations.
17. The electronic component according to claim 15, wherein the second random quantities are obtained by 1-complementing the first random quantities.
18. The electronic component according to claim 15, wherein said processor is further configured to perform the following:
a random drawing of at least one first bit (b1);
an initial masking of the input data with the first bit to obtain masked input data,
masking the secret key with the first bit to obtain a masked secret key;
a first implementation of the cryptographic calculation algorithm involving the masked input data and the masked secret key and one of the first or second lists of random quantities and the corresponding masked first or second non-linear substitution operators;
a second implementation of the cryptographic calculation algorithm involving the masked input data and the masked secret key and the other one of the first or second lists of random quantities and the other one of the corresponding masked first or second non-linear substitution operators; and
with verifying consistency between the two successive implementations being performed on two data taken from among the data involved in the at least two successive implementations, and with the two data being masked or unmasked by the first bit.
19. The electronic component according to claim 18, wherein said processor is further configured to choose one of the first or second lists of random quantities, and choose one of the corresponding masked first or second non-linear substitution operators based on a second randomly drawn bit.
20. The electronic component according to claim 15, wherein the electronic component is configured as a chip card.
21. A computer-readable medium comprising computer-executable instructions for causing a computer to perform steps comprising:
formulating a first list comprising first random quantities;
formulating a first non-linear substitution operator masked with at least part of the first list;
formulating a second list determined from the first list, and comprising second random quantities respectively determined from the first random quantities;
formulating a second non-linear substitution operator masked with at least part of the second list;
at least two successive implementations of a cryptographic calculation algorithm comprising N rounds of calculations carried out successively to obtain output data based on input data and of a secret key, with a data path of the cryptographic calculation algorithm being masked,
a first of the two successive implementations comprising a masking of the data path of the cryptographic calculation algorithm involving the first list of first random quantities and the masked first non-linear substitution operator, and
a second of the two successive implementations comprising a masking of the data path of the cryptographic calculation algorithm involving the second list of second random quantities and the masked second non-linear substitution operator; and
verifying consistency between the two successive implementations.
22. The computer-readable medium according to claim 21, wherein the verifying of the consistency comprises verifying equality between two data taken from data involved in the at least two successive implementations.
23. The computer-readable medium according to claim 21, wherein the second random quantities are obtained by 1-complementing the first random quantities.
24. The computer-readable medium according to claim 21, further comprising computer-executable instructions for execution of the following:
a random drawing of at least one first bit (b1);
an initial masking of the input data with the first bit to obtain masked input data,
masking the secret key with the first bit to obtain a masked secret key;
a first implementation of the cryptographic calculation algorithm involving the masked input data and the masked secret key and one of the first or second lists of random quantities and the corresponding masked first or second non-linear substitution operators;
a second implementation of the cryptographic calculation algorithm involving the masked input data and the masked secret key and the other one of the first or second lists of random quantities and the other one of the corresponding masked first or second non-linear substitution operators; and
with verifying consistency between the two successive implementations being performed on two data taken from among the data involved in the at least two successive implementations, and with the two data being masked or unmasked by the first bit.
25. The computer-readable medium according to claim 24, further comprising software code for execution of the following:
choosing one of the first or second lists of random quantities, and choosing one of the corresponding masked first or second non-linear substitution operators based on a second randomly drawn bit.
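The mechanism claimed above (a first list of random masks, a second list obtained by 1-complementing the first, a substitution table recomputed for each mask pair, two successive masked implementations and a consistency check between them) can be exercised on a small model. The following is an added illustration, not code from the patent or from STMicroelectronics: the 8-bit S-box and the N-round toy cipher `x <- S(x ^ k_i)` are constructed here as stand-ins for the claims' non-linear substitution operator and cryptographic algorithm, and the complement relation between the two masked traces used in the second check is a design choice of this example, not something the claims specify. The `fault` parameter only exists so that the check can be shown to reject a corrupted run.

```python
import secrets

# Constructed toy 8-bit S-box standing in for the claims' "non-linear substitution
# operator" (not AES and not the patent's own table): odd multiplier mod 256,
# XOR with a constant, rotate left by 3. Each step is a bijection on bytes, so the
# resulting table is a permutation of 0..255.
def _toy_sbox_entry(x: int) -> int:
    y = (x * 167) & 0xFF
    y ^= 0x5A
    return ((y << 3) | (y >> 5)) & 0xFF

SBOX = [_toy_sbox_entry(x) for x in range(256)]
assert len(set(SBOX)) == 256  # sanity: the table really is bijective


def draw_mask_lists(n_rounds: int, rng=secrets.randbelow):
    """First list: one random byte per state (N rounds need N+1 masks).
    Second list: the 1-complement of each first-list mask (as in claim 23)."""
    first = [rng(256) for _ in range(n_rounds + 1)]
    second = [m ^ 0xFF for m in first]
    return first, second


def masked_sbox(m_in: int, m_out: int) -> list:
    """Recomputed table T with T[x ^ m_in] == SBOX[x] ^ m_out, so the
    substitution consumes masked data and produces masked data; the
    unmasked value x never appears in the data path."""
    return [SBOX[y ^ m_in] ^ m_out for y in range(256)]


def masked_encrypt(plaintext: int, round_keys: list, masks: list, fault=None):
    """One implementation of the toy N-round cipher with a masked data path:
    the state held during round i is (x_i ^ masks[i]).
    fault=(round_index, xor_diff) simulates a fault on the masked state just
    before that round's substitution (testing aid only).
    Returns (unmasked output, list of masked intermediate states)."""
    tables = [masked_sbox(masks[i], masks[i + 1]) for i in range(len(round_keys))]
    state = plaintext ^ masks[0]            # initial masking of the input data
    trace = [state]
    for i, k in enumerate(round_keys):
        if fault is not None and fault[0] == i:
            state ^= fault[1]
        state = tables[i][state ^ k]        # == SBOX[x_i ^ k] ^ masks[i + 1]
        trace.append(state)
    return state ^ masks[-1], trace


def reference_encrypt(plaintext: int, round_keys: list) -> int:
    """Unprotected computation, kept only to confirm the masked path is correct."""
    state = plaintext
    for k in round_keys:
        state = SBOX[state ^ k]
    return state


def protected_encrypt(plaintext: int, round_keys: list, fault_in_second=None):
    """Two successive implementations with complementary mask lists followed by
    a consistency check. Returns (output, ok); a caller must withhold the
    output when ok is False instead of releasing a possibly faulted value."""
    first, second = draw_mask_lists(len(round_keys))
    out1, tr1 = masked_encrypt(plaintext, round_keys, first)
    out2, tr2 = masked_encrypt(plaintext, round_keys, second, fault=fault_in_second)
    # Check 1: equality of the two unmasked results.
    ok = out1 == out2
    # Check 2 (this example's design choice): because every second-list mask is
    # the complement of the first-list mask, each masked intermediate of run 2
    # must be the bitwise complement of run 1's, so the two data paths can be
    # compared without unmasking anything.
    ok = ok and all(a ^ b == 0xFF for a, b in zip(tr1, tr2))
    return out1, ok


if __name__ == "__main__":
    keys = [0x2B, 0x7E, 0x15, 0x16]   # constructed round keys
    out, ok = protected_encrypt(0x3C, keys)
    print(f"output={out:#04x} consistent={ok} reference={reference_encrypt(0x3C, keys):#04x}")
    _, ok = protected_encrypt(0x3C, keys, fault_in_second=(1, 0x04))
    print(f"faulted run detected: {not ok}")
```

Because the S-box is a bijection, a non-zero difference injected into one run's state propagates to every later masked intermediate and to the final output, so either check on its own rejects a single fault in one of the two implementations; the second check additionally lets the comparison happen on masked data, which is the point of carrying two complementary mask lists rather than re-running with the same masks.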
US13/441,180 2011-04-08 2012-04-06 Method of secure cryptographic calculation, in particular, against attacks of the DFA and unidirectional type, and corresponding component Active 2032-12-30 US8958556B2 (en)

Applications Claiming Priority (5)

Application Number Priority Date Filing Date Title
FR1101091 2011-04-08
EP11306360.6 2011-10-21
EP11306360.6A EP2509252B1 (en) 2011-04-08 2011-10-21 Secured cryptographic calculation method, in particular against DFA and one-way attacks, and corresponding component
EP11306360 2011-10-21

Publications (2)

Publication Number Publication Date
US20120257747A1 true US20120257747A1 (en) 2012-10-11
US8958556B2 US8958556B2 (en) 2015-02-17

Family

ID=45023745

Family Applications (1)

Application Number Title Priority Date Filing Date
US13/441,180 Active 2032-12-30 US8958556B2 (en) 2011-04-08 2012-04-06 Method of secure cryptographic calculation, in particular, against attacks of the DFA and unidirectional type, and corresponding component

Country Status (2)

Country Link
US (1) US8958556B2 (en)
EP (1) EP2509252B1 (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104753664A (en) * 2013-12-31 2015-07-01 上海复旦微电子集团股份有限公司 Security encryption method and device, security decryption method and device
CN105933108A (en) * 2016-05-30 2016-09-07 清华大学 Implementation method for breaking SM4 algorithm
US10187198B2 (en) * 2015-09-02 2019-01-22 Stmicroelectronics (Rousset) Sas Protection of a rijndael algorithm
US10243728B2 (en) 2015-09-02 2019-03-26 Stmicroelectronics (Rousset) Sas Verification of the resistance of an electronic circuit to side-channel attacks
US10686598B2 (en) * 2017-02-27 2020-06-16 Cord3 Innovation Inc. One-to-many symmetric cryptographic system and method

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20110055591A1 (en) * 2007-12-13 2011-03-03 Oberthur Technologies Method for cryptographic data processing, particularly using an s box, and related device and software
US20110129084A1 (en) * 2009-09-29 2011-06-02 Thales Method of executing an algorithm for protecting an electronic device by affine masking and associated device

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
FR957783A (en) 1950-02-25
FR853198A (en) 1938-04-21 1940-03-12 Budd Induction Heating Inc Improvements in heat treatment apparatus and methods and heat treated objects
FR1051205A (en) 1951-08-06 1954-01-14 Auxiliary tape recorder device adaptable to record players
FR2820576B1 (en) 2001-02-08 2003-06-20 St Microelectronics Sa ENCRYPTION METHOD PROTECTED AGAINST ENERGY CONSUMPTION ANALYSIS, AND COMPONENT USING SUCH AN ENCRYPTION METHOD

Cited By (15)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104753664A (en) * 2013-12-31 2015-07-01 上海复旦微电子集团股份有限公司 Security encryption method and device, security decryption method and device
US10187198B2 (en) * 2015-09-02 2019-01-22 Stmicroelectronics (Rousset) Sas Protection of a rijndael algorithm
US10243728B2 (en) 2015-09-02 2019-03-26 Stmicroelectronics (Rousset) Sas Verification of the resistance of an electronic circuit to side-channel attacks
CN105933108A (en) * 2016-05-30 2016-09-07 清华大学 Implementation method for breaking SM4 algorithm
US10778424B2 (en) 2017-02-27 2020-09-15 Cord3 Innovation Inc. Symmetric cryptographic method and system and applications thereof
US10742408B2 (en) 2017-02-27 2020-08-11 Cord3 Innovation Inc. Many-to-many symmetric cryptographic system and method
US10686598B2 (en) * 2017-02-27 2020-06-16 Cord3 Innovation Inc. One-to-many symmetric cryptographic system and method
US20200412533A1 (en) * 2017-02-27 2020-12-31 Cord3 Innovation Inc. Apparatus, system and method for generating and managing cryptographic keys for a symmetric cryptographic system
US10903994B2 (en) 2017-02-27 2021-01-26 Cord3 Innovation Inc. Many-to-many symmetric cryptographic system and method
US11451386B2 (en) 2017-02-27 2022-09-20 Cord3 Innovation Inc. Method and system for many-to-many symmetric cryptography and a network employing the same
US11496298B2 (en) * 2017-02-27 2022-11-08 Cord3 Innovation Inc. Many-to-many symmetric cryptographic system and method
US20230224151A1 (en) * 2017-02-27 2023-07-13 Cord3 Innovation Inc. Method and system for one-to-many symmetric cryptography and a network employing the same
US11728983B2 (en) * 2017-02-27 2023-08-15 Cord3 Innovation Inc. Apparatus, system and method for generating and managing cryptographic keys for a symmetric cryptographic system
US11818262B2 (en) * 2017-02-27 2023-11-14 Cord3 Innovation Inc. Method and system for one-to-many symmetric cryptography and a network employing the same
US20230396426A1 (en) * 2017-02-27 2023-12-07 Cord3 Innovation Inc. Communication network with cryptographic key management for symmetric cryptography

Also Published As

Publication number Publication date
US8958556B2 (en) 2015-02-17
EP2509252A1 (en) 2012-10-10
EP2509252B1 (en) 2016-08-10

Similar Documents

Publication Publication Date Title
Barenghi et al. Fault injection attacks on cryptographic devices: Theory, practice, and countermeasures
KR102628466B1 (en) Block cryptographic method for encrypting/decrypting messages and cryptographic devices for implementing this method
Malkin et al. A comparative cost/security analysis of fault attack countermeasures
Gierlichs et al. Infective computation and dummy rounds: Fault protection for block ciphers without check-before-output
KR101680918B1 (en) Cryptography circuit protected against observation attacks, in particular of a high order
JP7076482B2 (en) How to secure cryptographic processes with SBOX from higher-order side-channel attacks
US20050273630A1 (en) Cryptographic bus architecture for the prevention of differential power analysis
US9197412B2 (en) Low-complexity electronic circuit protected by customized masking
EP2367316B1 (en) Method and circuitry for detecting a fault attack
Dassance et al. Combined fault and side-channel attacks on the AES key schedule
US9544132B2 (en) Cryptographic method for protecting a key hardware register against fault attacks
US8958556B2 (en) Method of secure cryptographic calculation, in particular, against attacks of the DFA and unidirectional type, and corresponding component
Korkikian et al. Blind fault attack against SPN ciphers
Saha et al. White-box cryptography based data encryption-decryption scheme for iot environment
US11201724B2 (en) Method to counter DCA attacks of order 2 and higher on table-based implementations
CN113014377B (en) Persistent fault attack protection method and device by utilizing bijection characteristic of block cipher S box
Karri et al. Parity-based concurrent error detection in symmetric block ciphers
Liu et al. Improving tag generation for memory data authentication in embedded processor systems
US20210165746A1 (en) System and method for protecting memory encryption against template attacks
Putra et al. Security analysis of BC3 algorithm for differential power analysis attack
Souror et al. Hybrid-Blowfish Security Strengths Using Side Channel Countermeasures
Kim et al. New Type of Collision Attack on First‐Order Masked AESs
Liu et al. iCETD: An improved tag generation design for memory data authentication in embedded processor systems
Karunakaran et al. FPGA based Fault Analysis for Encrypted Code
Van Der Merwe et al. TR-31 and AS 2805 (Non) equivalence report

Legal Events

Date Code Title Description
AS Assignment

Owner name: STMICROELECTRONICS (ROUSSET) SAS, FRANCE

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:LIARDET, PIERRE YVAN;ROMAIN, FABRICE;SIGNING DATES FROM 20120425 TO 20120427;REEL/FRAME:028165/0051

STCF Information on status: patent grant

Free format text: PATENTED CASE

MAFP Maintenance fee payment

Free format text: PAYMENT OF MAINTENANCE FEE, 4TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1551)

Year of fee payment: 4

MAFP Maintenance fee payment

Free format text: PAYMENT OF MAINTENANCE FEE, 8TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1552); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

Year of fee payment: 8